UNITED STATES DEPARTMENT OF EDUCATION
OFFICE OF INSPECTOR GENERAL

May 23, 2007
Control Number ED-OIG/A19G0012

William Vajda
Chief Information Officer
Office of the Chief Information Officer
U.S. Department of Education
550 12th Street, SW
Washington, DC 20202

Dear Mr. Vajda:

This Final Audit Report (Control Number ED-OIG/A19G0012) presents the results of our audit of the Termination of EDNet Access for Separated Employees. The objectives of our audit were (1) to determine whether access to the Department of Education (Department) Network (EDNet) was terminated timely for employees who separated from the Department, and (2) in cases where access was not terminated timely, determine whether separated employees accessed EDNet after their departure, and if so, assess the impact of that access. Overall, we found improvements are needed in the Department's process for terminating EDNet access for separated employees.

BACKGROUND

EDNet is a major information system that supports primary information technology (IT) services for the Department and also serves as the chief communications link between Headquarters' offices and the various regional and satellite offices. It is comprised of the network infrastructure (routers, local area network cables, servers, etc.), desktops, standard desktop software and email, Blackberries, printers, and telephony.

The system is owned and operated by the Office of the Chief Information Officer (OCIO), whose responsibilities include management of the Department's IT Security Program for automated information systems, and development of agency-wide policy for the protection and control of information resources directly or indirectly related to the activities of the Department. This includes policies and procedures related to the creation, modification, and termination of EDNet user accounts. To assist in the achievement of its principal objectives, the Department awarded a contract for EDNet services effective May 1, 2005. The EDNet contractor provides IT support services including user account management.

Our mission is to ensure equal access to education and to promote educational excellence throughout the Nation.

Final Audit Report
ED-OIG/A19G0012    Page 2 of 12

The account termination process, as described by Department officials and the EDNet contractor, requires communication within each Principal Office (PO), as well as coordination between the POs, contractor-operated Help Desk, and OCIO. Within the PO, supervisors must notify their Executive Officer when they learn an employee is leaving or has been terminated. They must also complete an Account Termination Form (ATF) and submit this for approval by the PO IT Coordinator. The PO IT Coordinator approves and submits the ATF to the Help Desk for processing.

When the ATF is received, the Help Desk creates an electronic record (Help Desk Ticket) to track the request. The Help Desk Ticket must be forwarded to the EDNet Account Manager, an OCIO employee, for review and approval before any further action is taken. If approved, the EDNet Account Manager sends the request back to the Help Desk, who disables the individual's EDNet access and marks their account for deletion.[1] After 15 workdays, the Help Desk deletes the account from the Active Directory (AD), a listing of all network accounts.

[1] It is important to note that disabled accounts are no longer active and cannot be accessed by the separated employee. The account disable period exists so that, should anything occur that would require the account to be re-enabled (i.e., need for user files, etc.), it can be done so relatively easily.

Ongoing monitoring occurs in the form of account revalidations, performed by OCIO at the end of each month to identify accounts that have not been accessed over the previous 90 days. A list of inactive accounts is provided to the POs for confirmation of employee status. If the PO determines an employee has separated from the Department, it notifies the EDNet Account Manager, who completes and submits an ATF to the Help Desk for processing.

AUDIT RESULTS

We found improvements are needed in the Department's process for terminating EDNet access for separated employees. We determined requests for account terminations were not submitted timely, documentation of Help Desk actions was not always maintained, and procedures established to identify users whose accounts should be removed were not followed. As a result, accounts belonging to former employees remained active after their separation from the Department. Because these accounts remained active, six permanently separated individuals accessed their email accounts after their separation date. These separated employees may have used the Department's computer systems for unauthorized purposes.

In its response to the draft audit report, OCIO concurred with the finding and all associated recommendations. OCIO proposed corrective actions to strengthen controls to ensure the timely and coordinated termination of EDNet access for separated employees. The complete text of the response is included as Attachment 4 to this report.

FINDING – Improvements Are Needed in the Department's Process for Terminating EDNet Access for Separated Employees

We reviewed data related to personnel who separated from the Department in Fiscal Year (FY) 2006 and noted the following:

• POs did not request the termination of EDNet access for separated employees in accordance with established standards. Specifically, POs did not submit ATFs used to start this process in a timely manner. Of the 389 accounts for which PO-initiated Help Desk Tickets were located, 195 (50 percent) included ATFs that were submitted more than 2 workdays after the employee's departure from the Department (see Attachment 1). On average, POs waited 11 workdays after the employee's separation date before submitting an ATF to the Help Desk for processing. We noted failure to submit ATFs in a timely manner was systemic throughout the Department.[2]

• Help Desk Tickets were not available for 83 of the 487 accounts (17 percent) that were no longer in the AD or were inactive.

• Procedures designed to identify users whose accounts should be removed were not followed. Specifically, we found the Office of Management's (OM) Human Resources Systems Team (HRS) no longer provides OCIO with a biweekly report on personnel changes.

[2] In discussions with OCIO and Help Desk staff, and through review of the EDNet Access Control and Help Desk SOPs, it was noted that ATFs are the expected form of notification when requesting the termination of an employee's accounts, and that all accounts should be disabled within 48 hours of an employee's separation from the Department. This would require that POs notify system administrators within two (2) business days of departure, as specified in the Handbook. Help Desk staff further stated requests lacking ATFs will not be processed.

Handbook OCIO-01, Handbook for Information Assurance Security Policy (Handbook), dated March 31, 2006, Section 4.1.5, states,

    Supervisors shall notify system administrators within two (2) business days of the departure of employees and contractors; notification shall be immediate in the case of involuntary separation. System access for voluntarily separated personnel shall be terminated as soon as possible, but no later than two business days of notification. Access for involuntarily separated personnel shall be revoked immediately. This applies to passwords, account user IDs, and all other access devices. When an employee or contractor's termination is processed, system administrators must be advised immediately by the designated supervisor to disable or delete all accounts.

Standard Operating Procedure OCIO Computer Help Desk (Help Desk SOPs), dated October 12, 2006, Section 3.5.2, states,

    Closing the OCIO Computer Help Desk Ticket is the final step in problem resolution. The OCIO Computer Help Desk is responsible for closing all OCIO Computer Help Desk Tickets.

    The OCIO Computer Help Desk Ticket is available for a specified period for [service level agreement] SLA reporting, Root Cause Analysis, and Customer Status requests. At specified intervals, the Closed OCIO Computer Help Desk Tickets are archived or purged from the Problem Management System database.

The EDNet Support Services Contract (Contract) also includes documentation requirements for Help Desk service requests. Table 71 (Help Desk Administration Roles and Responsibilities) states the EDNet contractor shall,

    …Provide a system to document, manage and track all requests for service, problem reports and inquiries regardless of the means by which the request is submitted (e.g., telephone, email, fax, direct online input by end-users, etc.), … Monitor and track all requests for service to closure.

According to Standard Operating Procedure EDNet Access Control (EDNet Access Control SOPs), dated March 22, 2006, Section 7.4, OM HRS provides OCIO and the Help Desk with a biweekly report on personnel changes in the Department. This procedure is intended to lessen security risks and support the EDNet security policy to maintain the integrity of the user database. Upon receipt of the report, the Help Desk updates the EDNet Exchange and Windows account database.

As shown in Attachment 2, a lack of clear guidance regarding the account termination process in various Departmental policies and procedures contributed to delays in the termination of EDNet accounts for separated employees. For example, Departmental Directive OM: 3-104 (Directive), Clearance of Personnel for Separation or Transfer, does not explicitly state that POs must complete and submit an ATF to the Help Desk when an employee separates from the Department. Although ensuring the termination of network access is listed as a responsibility of the Executive/Administrative Officer on an attachment to the Directive, how this is to be done, and in what time frame, is not addressed. As further shown in Attachment 2, there is conflicting guidance relating to responsibilities and timeliness requirements in the Handbook for Information Assurance Security Policy, Information Technology Security Controls Reference Guide, and EDNet System Security Plan.

We found there is no specific time requirement for the retention of documentation related to account terminations in the Department's policies and procedures, EDNet Access Control and Help Desk SOPs, or the Contract. We contacted the EDNet contractor to determine how an account could be disabled without an associated Help Desk Ticket, either generated per PO request or as a result of the name appearing on the 90-day inactivity report, but the contractor was unable to provide a definitive explanation. We asked if the Help Desk Tickets were purged or archived from the system, as specified in the Help Desk SOPs, but contractor staff were unable to confirm whether or not this occurred.

We learned the decision to discontinue use of OM HRS' biweekly personnel change report was made by OCIO in September 2005. OCIO staff stated the EDNet contractor was already producing a 90-day report that listed inactive accounts as part of its revalidation process, and that the OM HRS report often included extraneous information (i.e., data on individuals changing POs, changes in the status of interns and other temporary employees, etc.) that made it difficult to determine which accounts needed to be terminated and which ones were to remain active. We were also told that because the biweekly report came from the payroll system, it was generally about three weeks behind. As a result, by the time OCIO obtained the list of names, the employees had been separated for weeks.

Failure to terminate access for separated employees may result in the exploitation of computer systems for unauthorized use. It also increases the vulnerability of agencies to fraud and abuse.

Without adequate documentation to support requests for account terminations and actions taken, the Department lacks assurance that accounts have been terminated in accordance with established policies and procedures. This may also result in an inability to track requests internally, provide feedback when customers seek updates, and assess the overall efficiency and effectiveness of the process.

Failure to coordinate with OM HRS prevents OCIO and Help Desk staff from identifying inactive accounts in a more timely manner (i.e., sooner than after 90 days of inactivity). In addition, because the 90-day report identifies only those accounts that have been inactive, it is possible that employees who left the Department but did not have their accounts terminated could continue to access the system(s) and never show on the EDNet contractor's report.

Interim Audit Memorandum Issued

We issued an interim audit memorandum entitled, "Termination of EDNet Access for Separated Employees," to OCIO on December 12, 2006. The memorandum included the names of 45 individuals who separated from the Department in FY 2006 but remained in the AD as of October 25, 2006. OCIO responded, indicating that the accounts for all but 13 individuals, who were determined to be active employees, were subsequently deleted. We determined these individuals returned to the Department after separating in FY 2006.

We determined six of the permanently separated individuals accessed their email accounts after their separation date. Although this represents only a small percentage of employees who separated from the Department in FY 2006, the impact of just one individual accessing a system with malicious intent could be substantial. We are currently conducting further analyses to determine whether any of these individuals accessed other Department systems, and for what purpose. Due to the time required to complete these analyses, the results are not included in this audit report.

Recommendations:

We recommend that the Chief Information Officer take the following actions to ensure EDNet access for separated employees is terminated in a timely manner:

1.1 Review the Handbook for Information Assurance Security Policy, Information Technology Security Controls Reference Guide, the Department's Directive on the Clearance of Personnel for Separation or Transfer, and the EDNet System Security Plan and make revisions, as necessary, to ensure consistency of guidance with regard to timeliness of notification of separation, method of notification (ATF or other acceptable form), and account termination. Consider consolidating some of these documents, if feasible, to reduce duplication and confusion.

1.2 Revise the clearance form (ED Form EP2) to require PO Information Technology coordinators to certify that an ATF has been completed and will be submitted to the Help Desk immediately upon the employee's separation from the Department.

1.3 Amend the Department's policies and procedures, EDNet Access Control and Help Desk SOPs, and the Contract to establish consistent guidance on the retention period for requests and other supporting documentation related to account terminations, as well as archiving and purging procedures and timeframes.

1.4 Work with OM HRS to develop and implement a report for biweekly submission that includes only the names of those individuals who separated from the Department in the preceding pay period, and other information deemed relevant to OCIO. Ensure the appropriate termination of EDNet access for all separated employees.

OCIO Response:

In its response to the draft report, OCIO concurred with the finding and all associated recommendations. OCIO stated it will revise policies and procedures to ensure consistency of guidance with regard to the timeliness of notification of account terminations, as well as the retention period for related requests, and consolidate documentation where feasible to reduce duplication and confusion. In addition, it will revise the clearance form to require PO IT coordinators to certify that an ATF has been completed and submitted when an employee leaves the Department. Furthermore, OCIO will work with OM HRS to implement a process for acquiring a biweekly report of recent employee separations. OCIO also noted it expects to make significant improvements to the EDNet security posture after the award of the Managed Services Security Provided (MSSP) and EDUCATE acquisitions.

OTHER MATTERS

During our review, we noted no warning against unauthorized access of systems is provided when individuals attempt to log in to their email accounts remotely via Outlook Web Access (http://email.ed.gov). Such a warning not only would serve as a possible deterrent and valuable security practice, but also is required by law.

The Department's Information Technology Security Controls Reference Guide, referencing Public Law 99-474, states that, "…if a system uses any external telecommunications mediums (e.g. dial-up, Internet, etc), a warning banner must appear before the log-on sequence." Furthermore, the banner, "must state that the system is a U.S. Government system, information contained in it is 'For Official Use Only' ("[sic] FOUO), and that attempts to illegally log on to the system could lead to criminal prosecution punishable by fines or imprisonment."

The Handbook for Information Assurance Security Policy states,

    Department computers and IT systems must display a sign-on warning banner at all log-on points, where technically practical... At a minimum, warning banners must state that the use of the Department IT systems is subject to monitoring and is for limited personal use by Department personnel; all data contained on Department IT systems are property of the U.S. Government; and there can be no expectation of personal privacy on the Department IT systems.

We also noted the clearance form (Attachment 3) does not require employees to certify that they will not attempt to access their email or any other systems once they have left the Department.

We suggest the CIO take the necessary steps to bring the Department into compliance with the law as well as Department policy. We also suggest that the CIO revise the clearance form to provide for the appropriate employee certification regarding unauthorized system access.

OCIO responded to the Other Matters presented, stating it has already implemented a new warning banner on Outlook Web Access. OCIO also indicated it will revise the clearance form to require employees to certify that they will not attempt to access their email or any other systems once they have left the Department.

OBJECTIVES, SCOPE, and METHODOLOGY

The objectives of our audit were (1) to determine whether access to EDNet was terminated timely for employees who separated from the Department, and (2) in cases where access was not terminated timely, determine whether separated employees accessed EDNet after their departure, and if so, assess the impact of that access. To accomplish our objectives, we performed a review of internal control applicable to the account termination process. We reviewed applicable laws and regulations, and Department and EDNet contractor policies and procedures. We conducted interviews with Department officials and EDNet contractor staff to gain an understanding of how EDNet accounts are terminated.

The scope of our review included employees who separated from the Department during FY 2006. We obtained a list of employees who separated from the Department in FY 2006 from OM HRS. This list contained 530 records. We compared these records to a list of deleted accounts obtained from the OCIO to determine if and when user accounts were deleted. We also compared the list of separated employees to a list of accounts in the AD obtained from the EDNet contractor to determine whether any accounts remained active after an employee separated from the Department. See table below for a breakout of accounts:

    Description                                   Count
    Separated Employee, No AD Account               394
    Separated Employee, Inactive AD Account          93
    Separated Employee, Active AD Account            43
    TOTAL                                           530

We determined that 487 of the 530 accounts belonging to employees who separated from the Department in FY 2006 were no longer in the AD or were inactive as of October 25, 2006. We evaluated the timeliness of account terminations for these 487 accounts. To do this, we reviewed the Help Desk Tickets generated by the EDNet contractor upon receipt of each ATF. We located Help Desk Tickets for 404 of the 487 employees (83 percent) whose accounts were no longer active. We determined 14 of these were generated by the EDNet Account Manager as a result of the individual appearing on the 90-day inactivity list, meaning an ATF was likely never submitted by the PO. These 14 were not included in our analysis of timeliness as a result. We also judgmentally decided to remove one name because the account was disabled months before the PO submitted the ATF.

We reviewed the Help Desk Tickets for the remaining 389 accounts to determine the average time between an employee's separation from the Department and PO submission of an ATF. We also reviewed the Help Desk Tickets to determine the average time between receipt of an ATF and disabling of the account by the EDNet contractor.

We relied on computer-processed data initially obtained from OM HRS to identify the universe of employees who separated from the Department in FY 2006. An alternate data source was not available to directly test the accuracy or completeness of this data.
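As an added example (not part of the report, and not OCIO's or the EDNet contractor's tooling), the reconciliation and timeliness tests described in this section written as a small Python script: it joins a constructed OM HRS separations list to a constructed AD export and Help Desk Tickets, produces the three-bucket count of the table above, measures workdays from separation date to ATF submission and from ATF receipt to disable against the two-business-day standard in Handbook OCIO-01 Section 4.1.5, and flags enabled accounts with a logon after the separation date, which the 90-day inactivity report alone would never surface. The user names, dates, the holiday-free workday count and the definition of "inactive" (disabled, or no logon in the previous 90 days) are assumptions.

```python
"""Added example (not from the report): reconcile an HR separations list
against a directory export and Help Desk Tickets and flag the control
failures the audit looked for. All records below are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

NOTIFY_LIMIT_WORKDAYS = 2    # Handbook 4.1.5: notify within two business days of departure
DISABLE_LIMIT_WORKDAYS = 2   # ...and terminate access within two business days of notification
INACTIVITY_WINDOW_DAYS = 90  # monthly revalidation lists accounts idle for the previous 90 days


@dataclass
class Separation:   # one row of the OM HRS separations list
    user: str
    separated: date

@dataclass
class Account:      # one row of the Active Directory export
    user: str
    enabled: bool
    last_logon: Optional[date]

@dataclass
class Ticket:       # Help Desk Ticket opened on receipt of an ATF
    user: str
    atf_submitted: date
    disabled: Optional[date]   # None while the ticket is still open


def workdays_between(start: date, end: date) -> int:
    """Monday-to-Friday days after `start` up to and including `end`;
    negative when `end` precedes `start`. Holidays are ignored (assumption)."""
    if end < start:
        return -workdays_between(end, start)
    count, day = 0, start
    while day < end:
        day += timedelta(days=1)
        if day.weekday() < 5:
            count += 1
    return count


def is_inactive(acct: Account, as_of: date) -> bool:
    """Assumed definition: disabled, never logged on, or idle for 90+ days."""
    return (not acct.enabled or acct.last_logon is None
            or (as_of - acct.last_logon).days >= INACTIVITY_WINDOW_DAYS)


def classify(seps, accounts, as_of: date) -> dict:
    """Bucket separated employees as in the report's summary table."""
    by_user = {a.user: a for a in accounts}
    counts = {"no_ad_account": 0, "inactive_ad_account": 0, "active_ad_account": 0}
    for s in seps:
        acct = by_user.get(s.user)
        if acct is None:
            counts["no_ad_account"] += 1
        elif is_inactive(acct, as_of):
            counts["inactive_ad_account"] += 1
        else:
            counts["active_ad_account"] += 1
    return counts


def review(seps, accounts, tickets, as_of: date) -> list:
    """One record per separated employee listing every control failure seen."""
    by_user = {a.user: a for a in accounts}
    by_ticket = {t.user: t for t in tickets}
    findings = []
    for s in seps:
        acct, tkt = by_user.get(s.user), by_ticket.get(s.user)
        rec = {"user": s.user, "issues": []}
        if tkt is None:
            rec["issues"].append("no Help Desk Ticket located")
        else:
            lag = workdays_between(s.separated, tkt.atf_submitted)
            rec["atf_lag_workdays"] = lag
            if lag > NOTIFY_LIMIT_WORKDAYS:
                rec["issues"].append(f"ATF submitted {lag} workdays after separation")
            if tkt.disabled is None:
                rec["issues"].append("ticket open, account not yet disabled")
            elif workdays_between(tkt.atf_submitted, tkt.disabled) > DISABLE_LIMIT_WORKDAYS:
                rec["issues"].append("disable took more than 2 workdays after ATF receipt")
        if acct is not None and acct.enabled:
            rec["issues"].append("account still enabled")
            if acct.last_logon and acct.last_logon > s.separated:
                rec["issues"].append(f"logon on {acct.last_logon} after separation")
            if not is_inactive(acct, as_of):
                # a recently used account never shows on the 90-day inactivity list
                rec["issues"].append("would not appear on 90-day inactivity report")
        findings.append(rec)
    return findings


def average_atf_lag(findings) -> float:
    """Mean workdays from separation to ATF over accounts with a located ticket."""
    lags = [f["atf_lag_workdays"] for f in findings if "atf_lag_workdays" in f]
    return sum(lags) / len(lags) if lags else 0.0


# Constructed sample data; names and dates are invented.
AS_OF = date(2006, 10, 25)
SEPARATIONS = [Separation("asmith", date(2006, 3, 3)),    # Friday
               Separation("bjones", date(2006, 6, 30)),   # Friday
               Separation("cdoe", date(2006, 8, 15)),     # Tuesday
               Separation("dlee", date(2006, 9, 29))]     # Friday
ACCOUNTS = [Account("bjones", enabled=False, last_logon=date(2006, 6, 29)),
            Account("cdoe", enabled=True, last_logon=date(2006, 10, 20)),   # used after leaving
            Account("dlee", enabled=True, last_logon=date(2006, 9, 28))]
TICKETS = [Ticket("asmith", date(2006, 3, 6), date(2006, 3, 7)),    # ATF 1 workday after separation
           Ticket("bjones", date(2006, 7, 19), date(2006, 7, 20))]  # ATF 13 workdays after separation

if __name__ == "__main__":
    print(classify(SEPARATIONS, ACCOUNTS, AS_OF))
    for rec in review(SEPARATIONS, ACCOUNTS, TICKETS, AS_OF):
        print(rec["user"], rec["issues"])
```

Run as a script it prints the bucket counts (one with no account, one inactive, two active), then per-user issues: the late ATF for bjones, the post-separation logon and still-enabled account for cdoe, and, for both enabled accounts, the note that recent use keeps them off the inactivity report. Replacing the constructed lists with real HR, directory and ticketing exports is the only change needed to use it as a recurring leaver control.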
As a result, we were not able\nto validate the reliability of the data provided by OM HRS. However, because this data was used\nas a starting point for the reconciliation process, we deemed it sufficiently reliable for purposes\nof our audit.\n\nWe conducted fieldwork at Department offices in Washington, DC, during the period of October\n11, 2006 through January 30, 2007. We provided our audit results to OCIO staff during an exit\nconference conducted on February 20, 2007. Our audit was performed in accordance with\ngenerally accepted government auditing standards appropriate to the scope of the review\ndescribed above.\n\x0cFinal Audit Report\nED-OIG/A19G0012                                                                         Page 9 of 12\n\n\n\n                            ADMINISTRATIVE MATTERS\n\n\n\nCorrective actions proposed (resolution phase) and implemented (closure phase) by your office\nwill be monitored and tracked through the Department\xe2\x80\x99s Audit Accountability and Resolution\nTracking System (AARTS). Department policy requires that you develop a final corrective\naction plan (CAP) for our review in the automated system within 30 days of the issuance of this\nreport. 
The CAP should set forth the specific action items, and targeted completion dates,\nnecessary to implement final corrective actions on the finding and recommendation contained in\nthis final audit report.\n\nIn accordance with the Inspector General Act of 1978, as amended, the Office of Inspector\nGeneral is required to report to Congress twice a year on the audits that remain unresolved after\nsix months from the date of issuance.\n\nStatements that managerial practices need improvements, as well as other conclusions and\nrecommendations in this report, represent the opinions of the Office of Inspector General.\nDeterminations of corrective action to be taken will be made by the appropriate Department of\nEducation officials.\n\nIn accordance with the Freedom of Information Act (5 U.S.C. \xc2\xa7 522), reports issued by the\nOffice of Inspector General are available to members of the press and general public to the extent\ninformation contained therein is not subject to exemptions in the Act.\n\nWe appreciate the cooperation provided to us during this review. Should you have any\nquestions concerning this report, please call Michele Weaver-Dugan at (202) 245-6941.\nPlease refer to the control number in all correspondence related to the report.\n\n                                      Sincerely, \n\n\n\n\n                                      George A. Rippey /s/ \n\n                                      Acting Assistant Inspector General for Audit Services \n\n\n\ncc: \t   Sally Budd, Chief of Staff\n        Stephanie Hammes, Audit Liaison Officer\n\nAttachments\n\x0cFinal Audit Report\nED-OIG/A19G0012                                                                                     Page 10 of 12\n\n                                               Attachment 1\n\n            No. of accounts for No. of accounts for which                               Average no. 
of days\n             which Help Desk     ATF was NOT submitted by                             between separation date\n               Tickets were     the PO within 2 workdays of Percent NOT submitted in per OM and submission of\n    PO           located:             separation date:          a timely manner:     ATF (per Help Desk Ticket):\nFSA                          99                         46                    46.46%                          9\nIES                          13                         12                    92.31%                        13\nNAGB                          1                          1                   100.00%                          3\nNIL                           1                          0                     0.00%                         (2)\nOCFO                         21                          5                    23.81%                          6\nOCIO                          9                          3                    33.33%                        10\nOCO                          19                         16                    84.21%                        19\nOCR                          38                         20                    52.63%                        19\nODS                           4                          0                     0.00%                          1\nOELA                          1                          1                   100.00%                        12\nOESE                         19                          8                    42.11%                          8\nOGC                           2                          1                    50.00%                        58\nOIG                          21                          2                     9.52%                          6\nOII                           9                          8                    88.89%                        23\nOLCA                          2                          2                   
100.00%                        20\nOM                           24                         10                    41.67%                        10\nOPE                          21                          5                    23.81%                          1\nOPEPD                        10                          4                    40.00%                          4\nOS                           22                          8                    36.36%                        13\nOSDFS                         6                          4                    66.67%                          7\nOSERS                        36                         33                    91.67%                        17\nOUS                           2                          0                     0.00%                          0\nOVAE                          9                          6                    66.67%                        24\nTOTALS                   389                         195                    50.13%\n\x0cFinal Audit Report\nED-OIG/A19G0012                                                                           Page 11 of 12\n\n                                          Attachment 2\n\n          Criteria             Deactivation for      Deactivation     Identified Action   Use of ATF\n                                  Voluntary        for Involuntary        Officials       Included in\n                                 Separation          Separation                             Criteria\n Section 4.1.5 of the        Two work days for     Immediately        Supervisor and          No\n Handbook for Information    a supervisor to                          System\n Assurance Security Policy   notify system                            Administrators\n                             administrators of\n                             employee\xe2\x80\x99s\n                             separation and then\n                             up to two\n                             
additional work\n                             days after\n                             notification for\n                             account termination\n Section 4.1.1 of the        Within 24 hours of    Immediately        Not established         No\n Information Technology      the employee\xe2\x80\x99s\n Security Controls           separation from the\n Reference Guide             Department\n Section VI.E of the         Not established       Not established    Executive Officer       No\n Directive on Clearance of                                            and OCIO\n Personnel for Separation\n or Transfer, and ED Form\n EP2\n Section 5.1.3.1.5 of the    Within 24 hours of    Within 24 hours    Principal Office        No\n EDNet System Security       notification          of notification,   Coordinator or\n Plan                                              or immediately     Computer Security\n                                                   if requested       Officer and EDNet\n                                                                      Account Manager\n\x0cFinal Audit Report\nED-OIG/A19G0012                                                                                            Page 12 of 12\n\n                                                         Attachment 3\n\n\n              Clearance of Personnel for Separation or Transfer\n   Name of employee (Last, First, and Middle Initial)\n\n   Forwarding address                           Name of organization\n\n                                                Building and room #    Office Phone #       Home Phone #\n\n   Reason for separation\n        Resignation                      Retirement               Other (specify)\n        Transfer to another              Involuntary\n   ____________________________________\n        federal agency                   separation\n   ____________________________________\n   Date SF 52 initiated     Date of separation              Position sensitive          
      [ ] Position non-sensitive

                              Part I – Executive/Administrative Officer
   A. Appropriate action must be taken to obtain clearances in the areas shown below.
      Do NOT check boxes until clearances are obtained.
      [ ] Advanced annual leave (# of hours _____)   [ ] Travel advances
      [ ] Advanced sick leave (# of hours _____)     [ ] Property release
      [ ] Computer property                          [ ] Training agreements
      [ ] Network access terminated                  [ ] Service agreements
      [ ] Data files                                 [ ] Overpayments (one example is
                                                         Salary Overpayments)

      Comments: ___________________________________________________________________

   Exit interview – GS-15 and above:  [ ] Yes  [ ] No
   Date clearance package issued to employee: _______

   B. Must be cleared by last day.
      Do NOT check boxes until clearances are obtained.
      [ ] Parking permit      [ ] Office property
      [ ] Photo ID            [ ] Telephone calling cards
      [ ] Transit benefits    [ ] Travel card

      Comments: ___________________________________________________________________

                                        Part II – Security Services
   Do NOT check boxes until clearances are obtained.
      [ ] Security determination (debriefed)   [ ] Special ID Pass

                                             Certification
   I understand that if I have outstanding obligations that have not been satisfied
   before my last day in the Department that my final paycheck and lump sum annual
   leave will not be released. I also understand that my retirement fund may be
   offset. (5 U.S. Code 5514)
      Signature of employee: ______________________   Date: _______

   For return of government purchase card.
      Signature of OCFO/CAM: ______________________   Date: _______

   Employee cleared all items.
   Arrangements have been made for the employee to make restitution for monies owed.
      Signature of Executive Officer: ______________________   Date: _______

                                                    ED Form EP2

                                             Attachment 4


                         UNITED STATES DEPARTMENT OF EDUCATION
                         OFFICE OF THE CHIEF INFORMATION OFFICER


DATE:          May 11, 2007

TO:            George Rippey
               Acting Assistant Inspector General for Audit Services
               Office of Inspector General

FROM:          William Vajda
               Chief Information Officer
               Office of the Chief Information Officer

SUBJECT:       Response to Draft Audit Report ED-OIG/A19G0012

Thank you for your draft audit report, Termination of EDNet Access for Separated Employees,
ED-OIG/A19G0012, dated March 19th, 2007. The Department sincerely values the audit activity
conducted by the Office of the Inspector General (OIG) and appreciates the benefits of the
collaborative environment between OIG and the Department, formed through many years of
partnering and the sharing of mutual goals and objectives. The Department concurs with all
findings described in the aforementioned audit report.

Strong logical access control policies and procedures are essential to ensuring that
information resources and the information that they process, store and transmit are
adequately protected by maintaining confidentiality, integrity and availability. The
Department concurs with the OIG's findings that weaknesses exist in the implementation of
logical access control, particularly in the areas of AC-1, Access Control Policies and
Procedures; AC-2, Account Management; and AC-3,
Access Enforcement, as promulgated by NIST Special Publication 800-53, Recommended Security
Controls for Federal Information Systems, and the Department's policies for access control.

The Office of the Chief Information Officer (OCIO), in coordination with the Office of
Management (OM), fully intends to implement the recommendations of the OIG in strengthening
access controls on EDNet through timely and coordinated termination of logical access as
mandated by policy. Additionally, the Department expects to make significant improvements
to the EDNet security posture after the award of the Managed Security Services Provider
(MSSP) and EDUCATE acquisitions.

Corrective Action Plan

Table 1.0 describes the corrective actions that will take place to remediate the findings
presented by the OIG. Proposed corrective actions will be entered in the AARTS and, as each
finding is completed, evidence demonstrating remediation will be submitted to the Office of
the Chief Financial Officer (OCFO) for records management by the Post Audit Group (PAG).


                              400 MARYLAND AVE., S.W., WASHINGTON, DC 20202

                                  Table 1.0 Corrective Action Plan

   ... is necessary to ... guidance with regard to timeliness of notification of
   account termination.
   Furthermore, the Department will consolidate documentation where feasible to reduce
   duplication and confusion.

   ... Technology Coordinators to certify that an ATF has been completed and will be
   submitted to the help desk immediately upon the employee's ... an ATF has been ...

   ... certify that ... not attempt to access their email or any other systems once
   they have left the Department.


CC:
Michell Clark, Assistant Secretary for Management, OM
Brian Burns, Deputy CIO, OCIO
Jerry L. Davis, Director, Information Assurance, OCIO
Corey Wells, Senior Advisor to OCIO